Yournotify Security & Risk Analysis

The "yournotify" plugin v2.1.7 presents a mixed security posture. On the positive side, it demonstrates good practices by utilizing prepared statements for all SQL queries, a high percentage of properly escaped output, and a lack of dangerous functions, file operations, or bundled libraries. The vulnerability history is also clean, indicating a generally well-maintained plugin. However, there are significant concerns regarding the attack surface, particularly the presence of multiple unprotected entry points.

Specifically, the analysis reveals 10 AJAX handlers with 5 lacking authentication checks and 8 REST API routes with 1 missing permission callbacks. While no critical or high-severity taint flows were identified, the "flows with unsanitized paths" are a concern as they could potentially lead to vulnerabilities if exploited, even if not immediately critical. The lack of nonce checks on some AJAX handlers is a common oversight that can be exploited for cross-site request forgery (CSRF) attacks. The vulnerability history, while currently empty, does not guarantee future security, and the identified unprotected entry points remain a primary risk.

In conclusion, "yournotify" v2.1.7 has strengths in its code hygiene for database interactions and output handling. However, the substantial number of unprotected AJAX handlers and REST API routes presents a significant risk. Developers should prioritize implementing proper authentication and permission checks on all exposed endpoints to mitigate potential exploits. The identified unsanitized paths also warrant investigation and remediation.